Differential Spectrum of Some Power Functions With 
Low Differential Uniformity 



Sung-Tai Choi a , Seokbeom Hong a , Jong-Seon No a , Habong Chung b 

a Department of Electrical Engineering and Computer Science, INMC 
Seoul National University, Seoul 151-744, Korea 
b School of Electronics and Electrical Engineering 
Hongik University, Seoul 121-791, Korea 



Abstract 

In this paper, for an odd prime $p$, the differential spectrum of the power
function $x^{\frac{p^k+1}{2}}$ in $\mathbb{F}_{p^n}$ is calculated. For an odd prime $p$ such that
$p \equiv 3 \bmod 4$ and odd $n$ with $k \mid n$, the differential spectrum of the power function
$x^{\frac{p^n+1}{p^k+1}+\frac{p^n-1}{2}}$ in $\mathbb{F}_{p^n}$ is also derived. From their differential spectrums, the
differential uniformities of these two power functions are determined. We
also find some new power functions having low differential uniformity.

Keywords: Almost perfect nonlinear, Differential cryptanalysis,

1. Introduction

Let $p$ be a prime number and $\mathbb{F}_{p^n}$ the finite field with $p^n$ elements. Let
$f(x)$ be a mapping from $\mathbb{F}_{p^n}$ to $\mathbb{F}_{p^n}$. Let $N(a,b)$ denote the number of
solutions $x \in \mathbb{F}_{p^n}$ of $f(x+a) - f(x) = b$, where $a \in \mathbb{F}_{p^n}^*$ and $b \in \mathbb{F}_{p^n}$. Then
the differential uniformity $\Delta_f$ is defined as

$$\Delta_f = \max_{a \in \mathbb{F}_{p^n}^*,\ b \in \mathbb{F}_{p^n}} N(a,b).$$

Nyberg defined a mapping to be differential $k$-uniform if $\Delta_f = k$. This
differential uniformity is of interest in cryptography because differential and
linear cryptanalysis exploit the weakness in the uniformity of the substitution
functions which are used in data encryption standard (DES), advanced
encryption standard (AES), and many other block cipher systems. For
applications in cryptography, one would prefer functions having $\Delta_f$ as small as
possible. Hence the functions with low $\Delta_f$ have been searched extensively
[6]-[14]. Especially for an odd prime $p$, there exist functions with $\Delta_f = 1$,
which are said to be perfect nonlinear (PN). The functions with $\Delta_f = 2$ are
said to be almost perfect nonlinear (APN). Some more functions having low
differential uniformity are studied in [5] and [16].

Let $f(x)$ be the power function given as $f(x) = x^d$. For any $a \in \mathbb{F}_{p^n}^*$ and
$b \in \mathbb{F}_{p^n}$, the differential equation $f(x+a) - f(x) = b$ can be rewritten as

$$a^d\left(\left(\frac{x}{a}+1\right)^d - \left(\frac{x}{a}\right)^d\right) = b,$$

which means that

$$N(a,b) = N\left(1, \frac{b}{a^d}\right).$$

Hence, in dealing with power functions, we can only consider $N(1,b)$ instead
of $N(a,b)$.

The differential spectrum of the function $f(x)$ with $\Delta_f = k$ is defined as
$(\omega_0, \omega_1, \ldots, \omega_k)$, where $\omega_i$ denotes the number of $b \in \mathbb{F}_{p^n}$ such that $N(1,b) = i$.
In [3], the differential spectrum of substitution functions is introduced and
its relation to differential attacks on block ciphers is discussed. In [5], the
relationship between the differential spectrum of $x^{2^t-1}$ and $x^{2^{n-t+1}-1}$ in $\mathbb{F}_{2^n}$
is derived and the differential spectrum of $x^{2^t-1}$ for $t \in \{3, \lfloor n/2 \rfloor, \lceil n/2 \rceil + 1, n-2\}$
is also calculated. Still, there has not been much research on
the differential spectrum of certain functions.

In [6], for an odd prime $p$, the power function $x^{\frac{p^k+1}{2}}$ in $\mathbb{F}_{p^n}$ was first
analyzed with respect to differential uniformity. It was shown that its differential
uniformity is upper bounded as $\Delta_f \le \gcd((p^k-1)/2,\ p^{2n}-1)$. Nevertheless,
the upper bound is not tight in some cases of $p$, $n$, and $k$, which motivates
us to derive the exact value of $\Delta_f$ for $x^{(p^k+1)/2}$ in this paper.

In this paper, for an odd prime $p$, the differential spectrum of $x^{\frac{p^k+1}{2}}$ in
$\mathbb{F}_{p^n}$ is derived. For an odd prime $p$ such that $p \equiv 3 \bmod 4$, odd $n$, and $k \mid n$,
the differential spectrum of $x^{\frac{p^n+1}{p^k+1}+\frac{p^n-1}{2}}$ in $\mathbb{F}_{p^n}$ is also derived. Based on the
results, some new functions with low differential uniformity $\Delta_f$ are found.
This paper is organized as follows. In Section 2, some preliminaries and
notations are stated. In Section 3, the differential spectrum of $x^{\frac{p^k+1}{2}}$ in $\mathbb{F}_{p^n}$
is proved. In Section 4, the differential spectrum of $x^{\frac{p^n+1}{p^k+1}+\frac{p^n-1}{2}}$ in $\mathbb{F}_{p^n}$ is
calculated. The conclusion is given in Section 5.

2. Preliminaries and Notations 

Let $p$ be an odd prime, $\alpha$ be a primitive element of the finite field $\mathbb{F}_{p^n}$,
and $p^n = sl + 1$. Then the cyclotomic classes $C_i$, $0 \le i \le s-1$, in $\mathbb{F}_{p^n}$ are
defined as

$$C_i = \{\alpha^{st+i} \mid t = 0, 1, \ldots, l-1\}, \quad 0 \le i \le s-1.$$

Note that $C_i$'s are pairwise disjoint and their union is the multiplicative group
of $\mathbb{F}_{p^n}$ denoted by $\mathbb{F}_{p^n}^* = \mathbb{F}_{p^n} \setminus \{0\}$. Then the cyclotomic number $(i,j)_s$ is
defined as the number of solutions $(x_i, x_j) \in C_i \times C_j$ for $x_i + 1 = x_j$.

Lemma 1 (Lemma 6 [17]). When $s = 2$, the cyclotomic numbers $(i,j)_2 = (i,j)$ are given as:

1) $p^n \equiv 1 \bmod 4$;

$$(0,0) = \frac{p^n-5}{4}; \quad (0,1) = (1,0) = (1,1) = \frac{p^n-1}{4}$$

2) $p^n \equiv 3 \bmod 4$;

$$(0,0) = (1,0) = (1,1) = \frac{p^n-3}{4}; \quad (0,1) = \frac{p^n+1}{4}$$

□

For $s = 2$, let $E_{ij}$, $0 \le i,j \le 1$, be the set defined as

$$E_{ij} = \{x \in \mathbb{F}_{p^n}^* \mid x \in C_i \text{ and } x+1 \in C_j\}. \quad (1)$$

Then $(i,j) = |E_{ij}|$.

In the following lemma, we are going to express each $x \in E_{ij}$ in terms of
the primitive element of $\mathbb{F}_{p^n}$ or $\mathbb{F}_{p^{2n}}$. Let $[a,b]$ denote the set of consecutive
integers between $a$ and $b$ including $a$ and $b$, that is, $[a,b] = \{a, a+1, \ldots, b\}$.

Lemma 2. Any element $x$ in $E_{00}$ can be represented as

$$x = \left(\frac{\alpha^t - \alpha^{-t}}{2}\right)^2 \quad (2)$$

where $t$ varies over $T_1 = [1, (p^n-3)/4]$ for $p^n \equiv 3 \bmod 4$ and over $T_2 = [1, (p^n-5)/4]$
for $p^n \equiv 1 \bmod 4$. Any element $x$ in $E_{11}$ can be represented as

$$x = \gamma\left(\frac{\alpha^t - \gamma^{-1}\alpha^{-t}}{2}\right)^2 \quad (3)$$

where $\gamma = -1$ and $t$ varies over $T_1$ for $p^n \equiv 3 \bmod 4$ and $\gamma = -\alpha$ and $t$ varies
over $T_2 \cup \{0\}$ for $p^n \equiv 1 \bmod 4$. Any element $x$ in $E_{10}$ can be represented as

$$x = \left(\frac{\delta^{2t} - \delta^{-2t}}{2}\right)^2 \quad (4)$$

where $\delta = \beta^{(p^n-1)/2}$ and $\beta$ is a primitive element in $\mathbb{F}_{p^{2n}}$ and $t$ varies over $T_1$
for $p^n \equiv 3 \bmod 4$ and over $T_2 \cup \{(p^n-1)/4\} = [1, (p^n-1)/4]$ for $p^n \equiv 1 \bmod 4$.
Finally, any element $x$ in $E_{01}$ can be represented as

$$x = \left(\frac{\delta^{2t+1} - \delta^{-(2t+1)}}{2}\right)^2 \quad (5)$$

where $t$ varies over $T_1 \cup \{0\} = [0, (p^n-3)/4]$ for $p^n \equiv 3 \bmod 4$ and over
$T_2 \cup \{0\} = [0, (p^n-5)/4]$ for $p^n \equiv 1 \bmod 4$.

Proof. For $x \in E_{00}$, we can set $x + 1 = u^2$ and $x = v^2$ for some $u, v \in \mathbb{F}_{p^n}^*$.
Then we have $u^2 - v^2 = (u+v)(u-v) = 1$. Let $u + v = \alpha^t$. Then we
have $u = (\alpha^t + \alpha^{-t})/2$ and $v = (\alpha^t - \alpha^{-t})/2$. Hence $x$ in $E_{00}$ is represented
as $x = (\alpha^t - \alpha^{-t})^2/4$. Then we have to determine the range over which $t$
varies. From Lemma 1, we know that $|E_{00}| = (p^n-3)/4$ for $p^n \equiv 3 \bmod 4$
and $(p^n-5)/4$ for $p^n \equiv 1 \bmod 4$. It is easy to check that $\{\alpha^t, \alpha^{-t}, -\alpha^t, -\alpha^{-t}\}$
induce the same $x$ in (2). Note that $t = 0$ makes $x = 0$ and $t = (p^n-1)/4$
makes $x = -1$ when $p^n \equiv 1 \bmod 4$. Hence $t$ varies over $1 \le t \le (p^n-3)/4$ for
$p^n \equiv 3 \bmod 4$ and $1 \le t \le (p^n-5)/4$ for $p^n \equiv 1 \bmod 4$.

For $x \in E_{11}$, we can set $x + 1 = \gamma u^2$ and $x = \gamma v^2$ for some $u, v \in \mathbb{F}_{p^n}^*$, where
$\gamma$ is a nonsquare in $\mathbb{F}_{p^n}^*$. Then we have $u^2 - v^2 = (u+v)(u-v) = \gamma^{-1}$. Let
$u + v = \alpha^t$. Then we have $u - v = \gamma^{-1}\alpha^{-t}$ and thus $u = (\alpha^t + \gamma^{-1}\alpha^{-t})/2$ and
$v = (\alpha^t - \gamma^{-1}\alpha^{-t})/2$. Hence $x \in E_{11}$ is represented as $x = \gamma(\alpha^t - \gamma^{-1}\alpha^{-t})^2/4$.
Now, we have to determine the range over which $t$ varies. From Lemma
1, we know that $|E_{11}| = (p^n-3)/4$ for $p^n \equiv 3 \bmod 4$ and $(p^n-1)/4$ for
$p^n \equiv 1 \bmod 4$. It is easy to check that $\{\alpha^t, -\alpha^t, \gamma^{-1}\alpha^{-t}, -\gamma^{-1}\alpha^{-t}\}$ induce
the same $x$ in (3). Clearly, for the case of $p^n \equiv 3 \bmod 4$, if we set $\gamma = -1$,
then each $t$ in $T_1$ makes distinct $x$ in $E_{11}$. For the case of $p^n \equiv 1 \bmod 4$, each
$t$ in $T_2$ makes distinct $x$ in $E_{11}$ for $\gamma = -\alpha$ similarly.

For $x \in E_{10}$ or $E_{01}$, the proof becomes a little more tricky. For $x \in E_{10}$, we
can set $x + 1 = u^2$ and $x = \gamma v^2$ for some $u, v \in \mathbb{F}_{p^n}$, where $\gamma$ is a nonsquare
in $\mathbb{F}_{p^n}^*$. Then we have $u^2 - \gamma v^2 = 1$, which can be factorized in $\mathbb{F}_{p^{2n}}$ as
$u^2 - \gamma v^2 = (u + \lambda v)(u - \lambda v) = (u + \lambda v)(u + \lambda^{p^n} v) = (u + \lambda v)^{p^n+1} = 1$, where
$\lambda$ and $-\lambda = \lambda^{p^n}$ are the two solutions in $\mathbb{F}_{p^{2n}}$ of $X^2 = \gamma$ PJ. Since $u + \lambda v$
is the $(p^n+1)$-st root of unity in $\mathbb{F}_{p^{2n}}$, we can set $u + \lambda v = \beta^{(p^n-1)t} = \delta^{2t}$,
where $\delta = \beta^{(p^n-1)/2}$ and $\beta$ is a primitive element of $\mathbb{F}_{p^{2n}}$. Since $u + \lambda v = \delta^{2t}$
and $u - \lambda v = \delta^{-2t}$, we have $x = (\delta^{2t} - \delta^{-2t})^2/4$. Then we have to
determine the range over which $t$ varies. From Lemma 1, we know that
$|E_{10}| = (p^n-3)/4$ for $p^n \equiv 3 \bmod 4$ and $(p^n-1)/4$ for $p^n \equiv 1 \bmod 4$. Note
that $\{\delta^{2t}, \delta^{-2t}, -\delta^{2t}, -\delta^{-2t}\}$ induce the same $x$ in (4). The values $t = 0$ and
$t = (p^n+1)/2$ which make $x = 0$ and $t = (p^n+1)/4$ which makes $x = -1$
should be excluded. Then each $t \in T_1$ gives distinct $x$ for $p^n \equiv 3 \bmod 4$ and
so does $t \in T_2 \cup \{(p^n-1)/4\}$ for $p^n \equiv 1 \bmod 4$. We can prove the case for
$x \in E_{01}$ similarly. □

3. The Differential Spectrum of $x^{\frac{p^k+1}{2}}$ in $\mathbb{F}_{p^n}$

In [6], for an odd prime $p$, the upper bound on differential uniformity $\Delta_f$
of the power function $f(x) = x^{\frac{p^k+1}{2}}$ in $\mathbb{F}_{p^n}$ is derived. The result is stated as
in the following theorem.

Theorem 1 (Theorem 11 [6]). Let $f(x) = x^d$ be the function defined on
$\mathbb{F}_{p^n}$, where $p$ is an odd prime and $d = (p^k+1)/2$. Then we have

$$\Delta_f \le \gcd\left(\frac{p^k-1}{2},\ p^{2n}-1\right).$$

□

However, in some cases of $p$, $n$, and $k$, the upper bound is not tight, which
motivates us to derive the differential spectrum and the differential uniformity
$\Delta_f$. The following lemmas are needed for the proof of the subsequent
lemmas and theorem.

Lemma 3. Define the set $A = [1, N]$ for a positive integer $N$. Assume that
$N \equiv r \bmod v$ for a nonzero integer $v$ and $q$ is a quotient so that $N = qv + r$.
Let $n_\mu$ denote the number of elements $a \in A$ such that $a \bmod v$ is either $+\mu$
or $-\mu$ for an integer $0 \le \mu \le v/2$. Then $n_\mu$ is computed as:
for \i = or /i = |



< r with even v 



> r with even v. 




2(g + l) 

2q, 



for v — r < ji < r 

for /i > max(t> — r, r + 1) or /i < min(r, v — r — 1) 
for r < fi < v — r. 



□ 



We will omit the proof because it is nothing more than a simple counting. 



Lemma 4. Let $p$ be an odd prime and $l = \gcd(a,b)$. Let $a' = a/l$ and
$b' = b/l$. Then

$$\gcd(p^a+1,\ p^b-1) = \begin{cases} p^l+1, & \text{for odd } a' \text{ and even } b' \\ 2, & \text{otherwise.} \end{cases}$$

Proof. Let $m = \gcd(p^a+1, p^b-1)$. Now, $p^l \equiv \pm 1 \bmod m$ will be proved.
By Bezout's identity, $l$ can be expressed as $l = ax + by$, where $x$ and $y$ are
some integers. Then we have

$$p^l = p^{ax+by} = (p^a)^x (p^b)^y \equiv (-1)^x (1)^y = \pm 1 \bmod m, \quad (6)$$

which means that $m \mid p^l + 1$ or $m \mid p^l - 1$. Now, $m$ will be determined in the
following three cases:

Case 1) $2l \mid a$;

From (6), we have $m \mid p^{2l} - 1$. Since $m \mid p^{2l} - 1$ and $a'$ is even, we have
$m \mid p^a - 1$. Since $m \mid p^a + 1$, we have $m \mid ((p^a+1) - (p^a-1))$, i.e., $m \mid 2$. Since
$m \ge 2$, we have $m = 2$.

Case 2) For odd $a'$ and even $b'$;

Since $a'$ is odd and $b'$ is even, we have $p^l + 1 \mid p^a + 1$ and $p^l + 1 \mid p^b - 1$.
Hence we have $p^l + 1 \mid m$. From $p^l + 1 \mid m$ and (6), we have $m = p^l + 1$.

Case 3) For odd $a'$ and odd $b'$;

Assume that $m \mid p^l + 1$. Since $m \mid p^l + 1$ and $b'$ is odd, we have $m \mid p^b + 1$.
Since $m \mid p^b - 1$, we have $m = 2$. Now, assume that $m \mid p^l - 1$. Since $m \mid p^a - 1$
and $m \mid p^a + 1$, we have $m = 2$. □

Let $D_f(x) = f(x+1) - f(x)$ and $\mathcal{I}_{ij}$ be the image of $E_{ij}$ under $D_f$, that
is,

$$\mathcal{I}_{ij} = \{D_f(x) \mid x \in E_{ij}\}$$

where $i,j \in \{0,1\}$. Also, define the set $\mathcal{U}_{ij}(b)$, $b \in \mathcal{I}_{ij}$, as the set of elements
$x \in E_{ij}$ such that $D_f(x) = b$. Let $\theta : t \mapsto x$ be the bijective mapping from
$t$ to $x$ given in Lemma 2. In the following Lemmas 5-7, the cardinalities
of each $\mathcal{I}_{ij}$ and $\mathcal{U}_{ij}(b)$'s, $b \in \mathcal{I}_{ij}$, will be determined. Let $e = \gcd(n,k)$ and
$g = \gcd(2n,k)$ in the remainder of this section.

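Lemma 5. For $\mathcal{I}_{00}$ and $D_f|_{E_{00}}$, we have

1) For an odd $n/e$;

$$|\mathcal{I}_{00}| = (p^n + p^e - 2)/(2(p^e-1))$$

$$|\mathcal{U}_{00}(b)| = \begin{cases} \frac{p^e-3}{4}, & \text{for } b = 1 \text{ and } p^n \equiv 3 \bmod 4 \\ \frac{p^e-5}{4}, & \text{for } b = 1 \text{ and } p^n \equiv 1 \bmod 4 \\ \frac{p^e-1}{2}, & \text{for } b (\ne 1) \in \mathcal{I}_{00}. \end{cases}$$

2) For an even $n/e$;

$$|\mathcal{I}_{00}| = (p^n + 2p^e - 3)/(2(p^e-1))$$

$$|\mathcal{U}_{00}(b)| = \begin{cases} \frac{p^e-3}{4}, & \text{for } b = \pm 1 \text{ and } p^e \equiv 3 \bmod 4 \\ \frac{p^e-5}{4}, & \text{for } b = 1 \text{ and } p^e \equiv 1 \bmod 4 \\ \frac{p^e-1}{4}, & \text{for } b = -1 \text{ and } p^e \equiv 1 \bmod 4 \\ \frac{p^e-1}{2}, & \text{for } b (\ne \pm 1) \in \mathcal{I}_{00}. \end{cases}$$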



Proof. From Lemma 2, $D_f(x)|_{E_{00}}$ is represented in terms of $t$ as

$$D_f(x)|_{E_{00}} = \frac{\alpha^{(p^k-1)t} + \alpha^{-(p^k-1)t}}{2} = M(\alpha^{(p^k-1)t}) \quad (7)$$

where $x = (\alpha^t - \alpha^{-t})^2/4$ and $t$ varies over $T_1$ for $p^n \equiv 3 \bmod 4$ and $T_2$ for
$p^n \equiv 1 \bmod 4$. Assume that there exist $x_1$ and $x_2 (\ne x_1)$ in $E_{00}$ such that
$D_f(x_1) = D_f(x_2)$. Let $t_1 = \theta^{-1}(x_1)$ and $t_2 = \theta^{-1}(x_2)$. From (7), it is
straightforward that $t_1$ and $t_2$ satisfy either

$$t_1 + t_2 \equiv 0 \bmod \frac{p^n-1}{p^e-1} \quad (8)$$

or

$$t_1 \equiv t_2 \bmod \frac{p^n-1}{p^e-1}. \quad (9)$$

Define the set

$$S_\mu = \begin{cases} \{t \equiv \pm\mu \bmod v \mid t \in T_1\}, & \text{for } p^n \equiv 3 \bmod 4 \\ \{t \equiv \pm\mu \bmod v \mid t \in T_2\}, & \text{for } p^n \equiv 1 \bmod 4 \end{cases}$$

where $v = (p^n-1)/(p^e-1)$ and $0 \le \mu \le \lfloor v/2 \rfloor$. Then, from (8) and (9), all
the elements in $S_\mu$ give a single value $M(\alpha^{(p^k-1)\mu})$ in $\mathcal{I}_{00}$ and the elements in
each $S_\mu$ give distinct values in $\mathcal{I}_{00}$.

Therefore, $|\mathcal{I}_{00}|$ is equal to the number of distinct sets $S_\mu$'s. Since
$0 \le \mu \le \lfloor v/2 \rfloor$, $|\mathcal{I}_{00}|$ is equal to $(v+1)/2$ for odd $v$ and $v/2 + 1$ for even $v$. Note
that $v$ is even when $n/e$ is even and odd when $n/e$ is odd.

Clearly, $S_\mu$ corresponds to $\mathcal{U}_{00}(M(\alpha^{(p^k-1)\mu}))$. Thus, obtaining $|\mathcal{U}_{00}(b)|$ for
$b \in \mathcal{I}_{00}$ is finding out the cardinality of corresponding $S_\mu$, which can be done
easily by applying Lemma 3.

Now, in the case when $p^n \equiv 3 \bmod 4$, we have

$$S_\mu = \{t \equiv \pm\mu \bmod v \mid t \in T_1\}.$$
Since = + from Lemma [3], we have 



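$$|S_\mu| = \begin{cases} \frac{p^e-1}{2}, & \text{for } 0 < \mu < \frac{v}{2} \\ \frac{p^e-3}{4}, & \text{for } \mu = 0. \end{cases}$$

Since $n/e$ is odd, i.e., $v$ is odd, in this case, we don't need to consider $S_{v/2}$.
Note that $S_0$ corresponds to $\mathcal{U}_{00}(1)$.

Similarly, in the case when $p^n \equiv 1 \bmod 4$, we have

$$S_\mu = \{t \equiv \pm\mu \bmod v \mid t \in T_2\}.$$

Clearly, $p^e$ can be congruent to 3 or 1 modulo 4 in this case. Since
$\frac{p^n-5}{4} = \frac{p^e-3}{4}v + (\frac{v}{2}-1)$ for $p^e \equiv 3 \bmod 4$, from Lemma 3, we have

$$|S_\mu| = \begin{cases} \frac{p^e-1}{2}, & \text{for } 0 < \mu < \frac{v}{2} \\ \frac{p^e-3}{4}, & \text{for } \mu = 0 \text{ or } \frac{v}{2}. \end{cases}$$

Note that $n/e$ is even, i.e., $v$ is even, in this case, $S_{v/2}$ should be considered.
Note that $S_0$ corresponds to $\mathcal{U}_{00}(1)$ and $S_{v/2}$ corresponds to $\mathcal{U}_{00}(-1)$. Since
$\frac{p^n-5}{4} = \frac{p^e-5}{4}v + (v-1)$ for $p^e \equiv 1 \bmod 4$, from Lemma 3, we have

$$|S_\mu| = \begin{cases} \frac{p^e-1}{2}, & \text{for } 0 < \mu < \frac{v}{2} \\ \frac{p^e-5}{4}, & \text{for } \mu = 0 \\ \frac{p^e-1}{4}, & \text{for } \mu = \frac{v}{2} \text{ and even } \frac{n}{e}. \end{cases}$$

Here, $S_{v/2}$ should be considered only when $n/e$ is even. Note that $S_0$
corresponds to $\mathcal{U}_{00}(1)$ and $S_{v/2}$ corresponds to $\mathcal{U}_{00}(-1)$. □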

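Lemma 6. For $\mathcal{I}_{11}$ and $D_f|_{E_{11}}$, we have

1) For an odd $n/e$;

$$|\mathcal{I}_{11}| = (p^n + p^e - 2)/(2(p^e-1))$$

$$|\mathcal{U}_{11}(b)| = \begin{cases} \frac{p^e-3}{4}, & \text{for } b = 1,\ p^n \equiv 3 \bmod 4,\ \text{even } k/e \\ & \text{or } b = -1,\ p^n \equiv 3 \bmod 4,\ \text{odd } k/e \\ \frac{p^e-1}{4}, & \text{for } b = 1,\ p^n \equiv 1 \bmod 4,\ \text{even } k/e \\ & \text{or } b = -1,\ p^n \equiv 1 \bmod 4,\ \text{odd } k/e \\ \frac{p^e-1}{2}, & \text{for remaining } b \in \mathcal{I}_{11}. \end{cases}$$

2) For an even $n/e$;

$$|\mathcal{I}_{11}| = (p^n-1)/(2(p^e-1))$$

$$|\mathcal{U}_{11}(b)| = (p^e-1)/2 \text{ for any } b \in \mathcal{I}_{11}.$$

Proof.

Case 1) For $p^n \equiv 3 \bmod 4$;

By selecting $\gamma = -1$ in (3), $D_f(x)|_{E_{11}}$ is represented as

$$D_f(x)|_{E_{11}} = M((-1)^{\frac{p^k-1}{2}}\alpha^{(p^k-1)t}) = (-1)^{\frac{p^k-1}{2}} M(\alpha^{(p^k-1)t}) \quad (11)$$

where $t \in T_1$ and $x = -(\alpha^t + \alpha^{-t})^2/4$.
Since

$$(-1)^{\frac{p^k-1}{2}} = \begin{cases} 1, & \text{if } p^k \equiv 1 \bmod 4 \\ -1, & \text{if } p^k \equiv 3 \bmod 4 \end{cases}$$

and $t$ varies over $T_1$, we have $\mathcal{I}_{00} = \mathcal{I}_{11}$ for $p^k \equiv 1 \bmod 4$ and $\mathcal{I}_{00} = -\mathcal{I}_{11}$ for
$p^k \equiv 3 \bmod 4$. Therefore, $|\mathcal{I}_{11}|$ and $|\mathcal{U}_{11}(b)|$ are equal to $|\mathcal{I}_{00}|$ and $|\mathcal{U}_{00}(b)|$ in
Lemma 5, respectively. Note that $n/e$ is odd in this case.

Case 2) For $p^n \equiv 1 \bmod 4$;

In this case, we select $\gamma = -\alpha$. Then $D_f(x)|_{E_{11}}$ is represented as

$$D_f(x)|_{E_{11}} = M((-\alpha)^{\frac{p^k-1}{2}}\alpha^{(p^k-1)t}) \quad (12)$$

where $t \in T_2 \cup \{0\}$ and $x = -\alpha(\alpha^t + \alpha^{-t-1})^2/4$.

Assume that $D_f(x_1) = D_f(x_2)$ for two distinct elements $x_1$ and $x_2$ in $E_{11}$.
Let $t_1 = \theta^{-1}(x_1)$ and $t_2 = \theta^{-1}(x_2)$. Then, from (12), $t_1$ and $t_2$ should satisfy

$$t_1 + t_2 + 1 \equiv 0 \bmod v \quad (13)$$

or

$$t_1 \equiv t_2 \bmod v \quad (14)$$

where $v = (p^n-1)/(p^e-1)$.

Note that $T_2 \cup \{0\} = \mathbb{Z}_{\frac{p^n-1}{4}}$. Let $R_i$, $0 \le i \le v-1$, be the equivalent
class congruent to $i$ modulo $v$ in $\mathbb{Z}_{\frac{p^n-1}{4}}$.

From (13) and (14), we know that all the elements $t$ in $R_i \cup R_{v-i-1}$
map to a single value in $\mathcal{I}_{11}$. Thus, obtaining $|\mathcal{U}_{11}(b)|$ is just finding out
the corresponding $|R_i \cup R_{v-i-1}|$. When $v$ is odd, i.e., $n/e$ is odd, and
$i = (v-1)/2$, $R_i$ coincides with $R_{v-i-1}$. In this case, we can easily check that
any $t$ in $R_{(v-1)/2}$ maps to 1 for even $k/e$ and $-1$ for odd $k/e$. Otherwise,
$|\mathcal{U}_{11}(b)| = (p^e-1)/2$, since $|R_i| = (p^e-1)/4$. □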

Lemma 7. For $\mathcal{I}_{10}$, $\mathcal{I}_{01}$, $D_f|_{E_{10}}$, and $D_f|_{E_{01}}$, we have

1) For an odd $k/e$;

$D_f$ is bijective on both $E_{10}$ and $E_{01}$ so that $|\mathcal{I}_{10}| = |E_{10}| = (1,0)$ and
$|\mathcal{I}_{01}| = |E_{01}| = (0,1)$.

$1 \notin \mathcal{I}_{10}$ and $1 \notin \mathcal{I}_{01}$.

2) For an even $k/e$;

$$|\mathcal{I}_{10}| = |\mathcal{I}_{01}| = (p^n + p^e + 2)/(2(p^e+1))$$
i


for 6 = 1, 


p n = 1 


mod 4 


\U 10 (b)\ = < 


p e - 


3 


for b = 1, 


J9 n = 3 


mod 4 




14 


1 


for b& 1) 










1 


for 6=1, 


p n = l 


mod 4 


\U i(b)\ = < 




1 


for 6=1, 


J9 n = 3 


mod 4 




14 


1 


for 6(^ 1) 







Proof.

Case 1) For $\mathcal{I}_{10}$ and $D_f|_{E_{10}}$;

From Lemma 2, $D_f(x)|_{E_{10}}$ can be written as

$$D_f(x)|_{E_{10}} = M(\beta^{(p^n-1)(p^k-1)t}) = M(\delta^{2(p^k-1)t}) \quad (15)$$

where $x = (\delta^{2t} - \delta^{-2t})^2/4$ and $t$ varies over $[1, (p^n-3)/4]$ for $p^n \equiv 3 \bmod 4$
and over $[1, (p^n-1)/4]$ for $p^n \equiv 1 \bmod 4$.

Let $t = \theta^{-1}(x)$. Then from (15), $\theta(t_1)$ and $\theta(t_2)$ give the same value of
$D_f(x)$ if and only if

$$t_1 \pm t_2 \equiv 0 \bmod L \quad (16)$$

where $L = (p^n+1)/\gcd(p^k-1, p^n+1)$. From Lemma 4, $L = (p^n+1)/2$ for
odd $k/e$ and $L = (p^n+1)/(p^e+1)$ for even $k/e$.

Now, consider the case when $p^n \equiv 3 \bmod 4$ and odd $k/e$. Since $T_1 = [1, (p^n-3)/4]$,
no $t_1$ and $t_2$ in $T_1$ satisfy (16) so that $D_f$ is bijective on $E_{10}$.
Note that there exists no $t \in T_1$ such that $t \bmod L = 0$, that is, $D_f(x) \ne 1$.
Hence we can conclude that $|\mathcal{I}_{10}| = |E_{10}| = (p^n-3)/4$ and $1 \notin \mathcal{I}_{10}$.

For the case when $p^n \equiv 3 \bmod 4$ and even $k/e$, we can use Lemma 3 by
setting $v = L = (p^n+1)/(p^e+1)$. In this case, $q$ and $r$ become $q = (p^e-3)/4$
and $r = v - 1$. Note that $v$ is odd in this case. From Lemma 3, it is derived
that $|\mathcal{U}_{10}(b)| = (p^e+1)/2$ for $b (\ne 1) \in \mathcal{I}_{10}$ and $|\mathcal{U}_{10}(1)| = (p^e-3)/4$. For the
case when $p^n \equiv 1 \bmod 4$, the proof can be done similarly.

Case 2) For $\mathcal{I}_{01}$ and $D_f|_{E_{01}}$;

In this case, $D_f(x)|_{E_{01}}$ can be written as

$$D_f(x)|_{E_{01}} = M(\delta^{(2t+1)(p^k-1)})$$

where $x = (\delta^{2t+1} - \delta^{-(2t+1)})^2/4$ and $t$ varies over $[0, (p^n-3)/4]$ for
$p^n \equiv 3 \bmod 4$ and over $[0, (p^n-5)/4]$ for $p^n \equiv 1 \bmod 4$.

Using the similar argument to the previous case, $\theta(t_1)$ and $\theta(t_2)$ give the
same value of $D_f(x)$ if and only if

$$(2t_1+1)(p^k-1) \pm (2t_2+1)(p^k-1) \equiv 0 \bmod 2(p^n+1). \quad (17)$$

Then (17) can be rewritten as either

$$t_1 - t_2 \equiv 0 \bmod L \quad (18)$$

or

$$t_1 + t_2 + 1 \equiv 0 \bmod L. \quad (19)$$

For the case when $p^n \equiv 3 \bmod 4$ and odd $k/e$, again $D_f$ is bijective on $E_{01}$
and there exists no $x$ such that $D_f(x) = 1$. Thus, $|\mathcal{I}_{01}| = |E_{01}| = (p^n+1)/4$
and $1 \notin \mathcal{I}_{01}$.

For the case when $p^n \equiv 3 \bmod 4$ and even $k/e$, applying Lemma 3 to (18)
and (19) yields that $|\mathcal{U}_{01}(b)| = (p^e+1)/2$ for $b (\ne 1) \in \mathcal{I}_{01}$ and
$|\mathcal{U}_{01}(1)| = (p^e+1)/4$. For the case when $p^n \equiv 1 \bmod 4$, the proof can be done similarly.



So far, we have investigated the cardinality of the images and the inverse
images of $D_f|_{E_{ij}}$, $i,j \in \{0,1\}$. In order to unify Lemmas 5-7 and see the
overall mapping property of $D_f$, we have to look into the relationship between
$\mathcal{I}_{00}$, $\mathcal{I}_{11}$, $\mathcal{I}_{10}$, and $\mathcal{I}_{01}$ as in the following three lemmas.

Lemma 8. For $\mathcal{I}_{00}$ and $\mathcal{I}_{11}$, we have

$$\begin{cases} \mathcal{I}_{00} = \mathcal{I}_{11}, & \text{for even } \frac{k}{e} \\ \mathcal{I}_{00} \cap \mathcal{I}_{11} = \emptyset, & \text{for odd } \frac{k}{e}. \end{cases}$$

Proof.

Case 1) For $p^n \equiv 3 \bmod 4$;

In this case, $k/e$ is even when $p^k \equiv 1 \bmod 4$ and $k/e$ is odd when $p^k \equiv 3 \bmod 4$.
In Lemma 6, we already showed that $\mathcal{I}_{00} = \mathcal{I}_{11}$ for $p^k \equiv 1 \bmod 4$
and $\mathcal{I}_{00} = -\mathcal{I}_{11}$ for $p^k \equiv 3 \bmod 4$. Thus, the remaining part is to show that
any two elements $a$ and $-a$ cannot belong to $\mathcal{I}_{00}$. Assume that there are
two distinct elements $x_1$ and $x_2$ in $E_{00}$ such that $D_f(x_1) = -D_f(x_2)$. Let
$t_1 = \theta^{-1}(x_1)$ and $t_2 = \theta^{-1}(x_2)$. Then from (7), it is easy to see that either
$\alpha^{(p^k-1)t_1} = -\alpha^{(p^k-1)t_2}$ or $\alpha^{(p^k-1)t_1} = -\alpha^{-(p^k-1)t_2}$ must hold. But this is a
contradiction because $-\alpha^{\pm(p^k-1)t_2}$ is a nonsquare in $\mathbb{F}_{p^n}$, whereas $\alpha^{(p^k-1)t_1}$ is
a square in $\mathbb{F}_{p^n}$. Therefore, $\mathcal{I}_{00} \cap \mathcal{I}_{11} = \mathcal{I}_{00} \cap (-\mathcal{I}_{00}) = \emptyset$ for odd $k/e$.

Case 2) For $p^n \equiv 1 \bmod 4$;

Again, assume that there exist $x_1 \in E_{00}$ and $x_2 \in E_{11}$ such that $D_f(x_1) = D_f(x_2)$.
Let $t_1 = \theta^{-1}(x_1) \in T_2$ and $t_2 = \theta^{-1}(x_2) \in T_2 \cup \{0\}$. Then, from (7)
and (12), we have

$$(-\alpha)^{\frac{p^k-1}{2}}\alpha^{(p^k-1)t_2} = \alpha^{(p^k-1)t_1} \text{ or } \alpha^{-(p^k-1)t_1}. \quad (20)$$

For $p^k \equiv 3 \bmod 4$, (20) cannot be satisfied because the left-hand side of (20)
is a nonsquare in $\mathbb{F}_{p^n}$, while the right-hand side of (20) is a square in $\mathbb{F}_{p^n}$.

For $p^k \equiv 1 \bmod 4$, (20) implies that either $\alpha^{\frac{p^k-1}{2}(2t_1+2t_2+1)} = 1$ or
$\alpha^{\frac{p^k-1}{2}(2t_2-2t_1+1)} = 1$, which further implies that either $2(t_1+t_2)+1$ or $2(t_2-t_1)+1$ must be
divisible by $2(p^n-1)/(p^e-1)$ for odd $k/e$ and $(p^n-1)/(p^e-1)$ for even $k/e$.

Since $2(t_2 \pm t_1) + 1$ is odd, we can easily see that the above is possible
only when $k/e$ is even and $n/e$ is odd and that such $t_1$ and $t_2$ can be always
found in $T_2$ and $T_2 \cup \{0\}$, respectively. Note that $n/e$ is always odd when $k/e$
is even. Hence we conclude that $\mathcal{I}_{00} = \mathcal{I}_{11}$ for even $k/e$ and $\mathcal{I}_{00} \cap \mathcal{I}_{11} = \emptyset$,
otherwise. □

Lemma 9. For $\mathcal{I}_{10}$ and $\mathcal{I}_{01}$, we have

$$\begin{cases} \mathcal{I}_{10} \cap \mathcal{I}_{01} = \emptyset, & \text{for odd } \frac{k}{e} \text{ and } p^e \equiv 3 \bmod 4 \\ \mathcal{I}_{10} = \mathcal{I}_{01}, & \text{otherwise.} \end{cases}$$

Proof. Assume that there exist $x_1 \in E_{10}$ and $x_2 \in E_{01}$ such that $D_f(x_1) = D_f(x_2)$.
Let $t_1 = \theta^{-1}(x_1)$ and $t_2 = \theta^{-1}(x_2)$. Then, from Lemma 2, we have

$$\delta^{2t_1(p^k-1)} + \delta^{-2t_1(p^k-1)} = \delta^{(2t_2+1)(p^k-1)} + \delta^{-(2t_2+1)(p^k-1)}. \quad (21)$$

Since $\delta^{2(p^n+1)} = 1$, the necessary and sufficient condition for (21) to hold is

$$2(t_2 \pm t_1) + 1 \equiv 0 \bmod L \quad (22)$$

where $L = 2(p^n+1)/\gcd(2(p^n+1), p^k-1)$.

Note that $t_1$ lies in $[1, (p^n-3)/4]$ for $p^n \equiv 3 \bmod 4$ and in $[1, (p^n-1)/4]$
for $p^n \equiv 1 \bmod 4$ and $t_2$ lies in $[0, (p^n-3)/4]$ for $p^n \equiv 3 \bmod 4$ and in
$[0, (p^n-5)/4]$ for $p^n \equiv 1 \bmod 4$.

When $L$ becomes even, which occurs only if $k/e$ is odd and $p^e \equiv 3 \bmod 4$,
(22) cannot be satisfied because the left-hand side of (22) is odd. Hence we
conclude that $\mathcal{I}_{01} \cap \mathcal{I}_{10} = \emptyset$ in this case.

Otherwise, it is not difficult to find $t_2$ satisfying (22) for each $t_1$ because
$L$ is either $(p^n+1)/2$ or $(p^n+1)/(p^e+1)$ which is odd. Since $|\mathcal{I}_{10}| = |\mathcal{I}_{01}|$ in
Lemma 7, the proof is done. □



Lemma 10. Let $S_1 = \mathcal{I}_{00} \cup \mathcal{I}_{11}$ and $S_2 = \mathcal{I}_{01} \cup \mathcal{I}_{10}$. Then we have

— ft),
for odd - 

e 

for even -. 



Proof. The proof is in Appendix. 

Using the previous lemmas, the main theorem can be stated as follows. 

Theorem 2. For an odd prime $p$ and $d = (p^k+1)/2$, the differential spectrum
of the function $f(x) = x^d$ in $\mathbb{F}_{p^n}$ is given as

1) For an odd k/e; 

1-i) For p e = 3 mod 4; 

if i = (the corresponding two Us are ± 1) 

if i = 



p"— -p" 

p e -l ' 
p"-l 

2 ' 
p"-3 



-1 ' 



0. 



if i = 1 
if i = 
otherwise. 



1-ii) For p e = 1 mod 4; 



'1, 


if i = » e + 3 


1, 


if i = 


pTl _pC 




4 ' 


if z = 2 


(p"-l)(3p e -7) 


if z = 


4(p e -l) ' 


,0, 


otherwise. 



(the corresponding b is 1)
(the corresponding b is -1)
2) For an even k/e;



(l 



if i 



p e (the corresponding b is 1) 
p e — 1 
p e + 1 




if i 



otherwise 



if i 



if i 







where e = gcd(n, k). 

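Proof. So far, we have derived $|\mathcal{I}_{ij}|$'s and $|\mathcal{U}_{ij}(b)|$'s in Lemmas 5-7. From
Lemmas 8 and 9, we have seen that $\mathcal{I}_{00}$ and $\mathcal{I}_{11}$ are either disjoint or identical
and so are $\mathcal{I}_{01}$ and $\mathcal{I}_{10}$. Finally, from Lemma 10, we have seen that $\mathcal{I}_{00} \cup \mathcal{I}_{11}$
and $\mathcal{I}_{01} \cup \mathcal{I}_{10}$ are either disjoint or almost disjoint. For the proof of this
theorem, we have to combine these results.

Case 1) Combining $D_f|_{E_{00}}$ and $D_f|_{E_{11}}$;

For the case when $k/e$ is odd, we have $|\mathcal{I}_{00} \cup \mathcal{I}_{11}| = (p^n + p^e - 2)/(p^e-1)$
because $\mathcal{I}_{00}$ and $\mathcal{I}_{11}$ are disjoint. For any $b \in (\mathcal{I}_{00} \cup \mathcal{I}_{11}) \setminus \{1,-1\}$, the
cardinality of $\mathcal{U}_0(b)$, the inverse image in $E_{00} \cup E_{11}$ of $b$, is $(p^e-1)/2$. For
the elements $\pm 1 \in \mathcal{I}_{00} \cup \mathcal{I}_{11}$, we have



For the case when $k/e$ is even, we have $|\mathcal{I}_{00} \cup \mathcal{I}_{11}| = (p^n + p^e - 2)/(2(p^e-1))$
since $\mathcal{I}_{00}$ and $\mathcal{I}_{11}$ coincide. Also, we have



Case 2) Combining $D_f|_{E_{10}}$ and $D_f|_{E_{01}}$;

For the case when $k/e$ is odd, we have $|\mathcal{I}_{10} \cup \mathcal{I}_{01}| = |\mathcal{I}_{10}| = |\mathcal{I}_{01}| = (p^n-1)/4$
for $p^e \equiv 1 \bmod 4$ and $|\mathcal{I}_{10} \cup \mathcal{I}_{01}| = |\mathcal{I}_{10}| + |\mathcal{I}_{01}| = (p^n-1)/2$ for
$p^e \equiv 3 \bmod 4$. The cardinality of $\mathcal{U}_1(b)$, the inverse image in $E_{10} \cup E_{01}$ of
$b \in (\mathcal{I}_{10} \cup \mathcal{I}_{01})$, is

$$|\mathcal{U}_1(b)| = \begin{cases} 2, & \text{for } p^e \equiv 1 \bmod 4 \\ 1, & \text{for } p^e \equiv 3 \bmod 4. \end{cases}$$

For the case when $k/e$ is even, we have $|\mathcal{I}_{10} \cup \mathcal{I}_{01}| = |\mathcal{I}_{10}| = |\mathcal{I}_{01}| = (p^n + p^e + 2)/(2(p^e+1))$.
Also, we have

$$|\mathcal{U}_1(b)| = \begin{cases} p^e+1, & \text{if } b \in (\mathcal{I}_{10} \cup \mathcal{I}_{01}) \setminus \{1\} \\ \frac{p^e-1}{2}, & \text{if } b = 1. \end{cases}$$

The unified mapping property of $D_f|_{E_{10}}$ and $D_f|_{E_{01}}$ is that the cardinality
of the inverse image in $E_{10} \cup E_{01}$ of each element in $(\mathcal{I}_{10} \cup \mathcal{I}_{01}) \setminus \{1\}$ is $p^e+1$ and
the cardinality of the inverse image in $E_{10} \cup E_{01}$ of the element $1 \in \mathcal{I}_{10} \cup \mathcal{I}_{01}$
is $(p^e-1)/2$.

Since $x = 0, -1 \notin (E_{00} \cup E_{11} \cup E_{10} \cup E_{01})$, we have to consider the
case when $x = 0$ and $x = -1$. It is easy to derive that $D_f(0) = 1$ and
$D_f(-1) = (-1)^{(p^k+3)/2}$. Finally, with Lemma 10, we can combine the Case
1) and Case 2). Hence the proof is done. □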

Corollary 1. For an odd prime $p$ and $d = (p^k+1)/2$, the differential
uniformity $\Delta_f$ of $f(x) = x^d$ in $\mathbb{F}_{p^n}$ is given as

$$\Delta_f = \begin{cases} \frac{p^e-1}{2}, & \text{for odd } \frac{k}{e} \\ p^e+1, & \text{for even } \frac{k}{e} \end{cases}$$

where $e = \gcd(n,k)$. □

The comparison with the existing bound in Theorem 1 and our new result
in Corollary 2 is given in Table 1. The bound in Theorem 1 is not tight
for some cases of $d = (p^k+1)/2$, whereas Theorem 2 provides the exact
differential spectrum and $\Delta_f$ for $d = (p^k+1)/2$. We can also explain some
known PN and APN functions which belong to this function class.
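As an added illustration (not code from the paper), the following Python sketch computes the differential spectrum of $x^{(p^k+1)/2}$ over $\mathbb{F}_{p^n}$ by exhaustive search and sets $\Delta_f$ beside the bound of Theorem 1 for parameter triples taken from Table 1. The function names and the trial-division search for an irreducible modulus are assumptions of this example, and the approach only suits small $p^n$.

```python
"""Brute-force differential spectrum of f(x) = x^d over F_{p^n} (added example)."""
from collections import Counter
from itertools import product
from math import gcd


def poly_rem(a, m, p):
    """Remainder of a modulo the monic polynomial m over F_p (lists, low degree first)."""
    a = [c % p for c in a]
    dm = len(m) - 1
    for i in range(len(a) - 1, dm - 1, -1):
        c = a[i]
        if c:
            for j in range(dm + 1):
                a[i - dm + j] = (a[i - dm + j] - c * m[j]) % p
    a = a[:dm]
    return a + [0] * (dm - len(a))


def find_irreducible(p, n):
    """First monic irreducible polynomial of degree n over F_p, found by trial division."""
    for low in product(range(p), repeat=n):
        m = list(low) + [1]
        has_factor = any(
            not any(poly_rem(m, list(g) + [1], p))
            for deg in range(1, n // 2 + 1)
            for g in product(range(p), repeat=deg)
        )
        if not has_factor:
            return m
    raise ValueError("no irreducible polynomial found")


def make_power(p, n):
    """Return power(a, e) on F_{p^n}; elements are coefficient tuples of length n."""
    m = find_irreducible(p, n)

    def mul(a, b):
        prod = [0] * (2 * n - 1)
        for i, ai in enumerate(a):
            for j, bj in enumerate(b):
                prod[i + j] += ai * bj
        return tuple(poly_rem(prod, m, p))

    def power(a, e):
        result = (1,) + (0,) * (n - 1)
        while e:
            if e & 1:
                result = mul(result, a)
            a = mul(a, a)
            e >>= 1
        return result

    return power


def differential_counts(p, n, d):
    """Map every b in F_{p^n} to N(1, b) = #{x : (x + 1)^d - x^d = b}."""
    power = make_power(p, n)
    elements = list(product(range(p), repeat=n))
    f = {x: power(x, d) for x in elements}
    counts = dict.fromkeys(elements, 0)
    for x in elements:
        x_plus_1 = ((x[0] + 1) % p,) + x[1:]  # add the field element 1
        b = tuple((u - v) % p for u, v in zip(f[x_plus_1], f[x]))
        counts[b] += 1
    return counts


def differential_spectrum(p, n, k):
    """Spectrum {i: omega_i} and Delta_f for d = (p^k + 1)/2."""
    counts = differential_counts(p, n, (p**k + 1) // 2)
    spectrum = dict(sorted(Counter(counts.values()).items()))
    return spectrum, max(spectrum)


def theorem1_bound(p, n, k):
    """Upper bound gcd((p^k - 1)/2, p^(2n) - 1) stated in Theorem 1."""
    return gcd((p**k - 1) // 2, p ** (2 * n) - 1)


if __name__ == "__main__":
    # Two rows of Table 1 plus two odd-k/e cases chosen for this example.
    for p, n, k in [(3, 3, 1), (5, 3, 1), (5, 3, 2), (7, 3, 2)]:
        spectrum, delta = differential_spectrum(p, n, k)
        print(p, n, k, "bound", theorem1_bound(p, n, k), "Delta_f", delta, spectrum)
```

Since only $N(1,b)$ is tabulated, the search costs one pass over the field, which is exactly the reduction from $N(a,b)$ to $N(1,b)$ made in the introduction.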

Table 1: Comparison between the existing bound in Theorem 1 and new result in Corollary

  p    n    k    Upper bound on $\Delta_f$ in [6]    Explicit $\Delta_f$ (new result)
  5    3    2    12                                  6
  5    5    2    12                                  6
  5    5    4    24                                  6
  7    3    2    24                                  8
  7    5    2    24                                  8
  7    5    4    48                                  8
  7    7    2    24                                  8
  7    7    4    48                                  8
  7    7    6    24                                  8
  11   3    2    60

4. The Differential Spectrum of $x^{\frac{p^n+1}{p^k+1}+\frac{p^n-1}{2}}$ in $\mathbb{F}_{p^n}$

In this section, we consider the power function $f(x) = x^d$ with the power

$$d = \frac{p^n+1}{p^k+1} + \frac{p^n-1}{2}$$

where $n/k$ should be odd. Note that only when $p^k \equiv 3 \bmod 4$, i.e., $p \equiv 3 \bmod 4$
and $n$ is odd, there exists no inverse $d^{-1} = (p^k+1)/2$ which belongs
to the function in the previous section. Hence, for an odd prime $p$ such that
$p \equiv 3 \bmod 4$ and odd $n$ with $k \mid n$, we calculate the differential uniformity and
the differential spectrum of the power function $f(x) = x^{\frac{p^n+1}{p^k+1}+\frac{p^n-1}{2}}$ in $\mathbb{F}_{p^n}$.
Define the functions $h_i(x)$ in $\mathbb{F}_{p^n}$, $1 \le i \le 4$, as

$$h_1(x) = (x+1)^{\frac{p^k+1}{2}} + x^{\frac{p^k+1}{2}}$$
$$h_2(x) = (x+1)^{\frac{p^k+1}{2}} - x^{\frac{p^k+1}{2}}$$
$$h_3(x) = -(x+1)^{\frac{p^k+1}{2}} + x^{\frac{p^k+1}{2}}$$
$$h_4(x) = -(x+1)^{\frac{p^k+1}{2}} - x^{\frac{p^k+1}{2}}.$$

Let $\lambda_i(b)$ and $\chi_i(b)$ be the number of solutions of

$$h_i(x) = b^{-\frac{p^k+1}{2}} \quad (23)$$

in $E_{00}$ and $E_{11}$, respectively.

Lemma 11. For $f(x) = x^{\frac{p^n+1}{p^k+1}+\frac{p^n-1}{2}}$ and $b \in \mathbb{F}_{p^n}^*$, $N(1,b)$ is determined as:

1) For $b \ne \pm 1$;

$$N(1,b) = \begin{cases} \lambda_1(b) + \lambda_2(b) + \lambda_3(b) + \lambda_4(b), & \text{for } b \in C_0 \setminus \{1\} \\ \chi_1(b) + \chi_2(b) + \chi_3(b) + \chi_4(b), & \text{for } b \in C_1 \setminus \{-1\}. \end{cases}$$

2) For $b = \pm 1$;

$$N(1,b) = \begin{cases} \lambda_1(b) + \lambda_2(b) + \lambda_3(b) + \lambda_4(b) + 1, & \text{for } b = 1 \\ \chi_1(b) + \chi_2(b) + \chi_3(b) + \chi_4(b) + 1, & \text{for } b = -1. \end{cases}$$

Proof. Consider the cases when $x \in \mathbb{F}_{p^n}^* \setminus \{-1\}$. Since $\gcd(p^k+1, p^n-1) = 2$,
an element $x \in E_{00}$ can be expressed as $x = \nu^{p^k+1}$ and $x + 1 = \psi^{p^k+1}$ for
some $\nu$ and $\psi$. If this $x$ is a solution to $D_f(x) = b$, then we have

$$(x+1)^{\frac{p^n+1}{p^k+1}+\frac{p^n-1}{2}} - x^{\frac{p^n+1}{p^k+1}+\frac{p^n-1}{2}} = \psi^2 - \nu^2 = b. \quad (24)$$

By setting $y = b^{-1}\nu^2$, we have $y + 1 = b^{-1}\psi^2$ and thus $y$ becomes the
solution to

$$(y+1)^{\frac{p^k+1}{2}} - y^{\frac{p^k+1}{2}} = b^{-\frac{p^k+1}{2}}. \quad (25)$$

Since the transformation $x$ to $y$ is one-to-one, each solution $x \in E_{00}$ to
$D_f(x) = b$ corresponds to either a solution $y \in E_{00}$ to (25) for $b \in C_0$ or a
solution $y \in E_{11}$ to (25) for $b \in C_1$.

Similarly, if $x \in E_{11}$ is a solution to $D_f(x) = b$, then by letting $x + 1 = -\psi^{p^k+1}$
and $x = -\nu^{p^k+1}$, we have (24). Again by setting $y = b^{-1}\nu^2$, we have
$y + 1 = b^{-1}\psi^2$. Thus $y$ is a solution to

$$-(y+1)^{\frac{p^k+1}{2}} + y^{\frac{p^k+1}{2}} = b^{-\frac{p^k+1}{2}}. \quad (26)$$

Since the transformation $x$ to $y$ is one-to-one, each solution $x \in E_{11}$ to
$D_f(x) = b$ corresponds to either a solution $y \in E_{00}$ to (26) for $b \in C_0$, or a
solution $y \in E_{11}$ to (26) for $b \in C_1$.

Similarly, if $x \in E_{10}$ is a solution to $D_f(x) = b$, then by letting $x + 1 = \psi^{p^k+1}$
and $x = -\nu^{p^k+1}$, we have (24). Again by setting $y = b^{-1}\nu^2$, we have
$y + 1 = b^{-1}\psi^2$. Thus $y$ is a solution to

$$(y+1)^{\frac{p^k+1}{2}} + y^{\frac{p^k+1}{2}} = b^{-\frac{p^k+1}{2}}. \quad (27)$$

Since the transformation $x$ to $y$ is one-to-one, each solution $x \in E_{10}$ to
$D_f(x) = b$ corresponds to either a solution $y \in E_{00}$ to (27) for $b \in C_0$ or a
solution $y \in E_{11}$ to (27) for $b \in C_1$.

Similarly, if $x \in E_{01}$ is a solution to $D_f(x) = b$, then by letting $x + 1 = -\psi^{p^k+1}$
and $x = \nu^{p^k+1}$, we have (24). Again by setting $y = b^{-1}\nu^2$, we have
$y + 1 = b^{-1}\psi^2$. Thus $y$ is a solution to

$$-(y+1)^{\frac{p^k+1}{2}} - y^{\frac{p^k+1}{2}} = b^{-\frac{p^k+1}{2}}. \quad (28)$$

Since the transformation $x$ to $y$ is one-to-one, each solution $x \in E_{01}$ to
$D_f(x) = b$ corresponds to either a solution $y \in E_{00}$ to (28) for $b \in C_0$ or a
solution $y \in E_{11}$ to (28) for $b \in C_1$.

Since $D_f(0) = 1$ and $D_f(-1) = -1$, we have completed the proof. □

Using the above lemma, the differential spectrum of f(x) can be derived 
as follows. 

Theorem 3. For an odd prime $p$ such that $p \equiv 3 \bmod 4$, odd $n$ with $k \mid n$,
and $d = (p^n+1)/(p^k+1) + (p^n-1)/2$, the differential spectrum of $f(x) = x^d$
in $\mathbb{F}_{p^n}$ is given as

k i 

2, if i = p -^— (the corresponding two b's are ± 1) 



if i 



p k -l ' 2 

if z = 1 



2 ' 

if < = 
0, otherwise. 

Proof. From Lemma [TT] in order to determine N(l, b), we should calculate 
Yui=i ^t(^) anc ^ Si=i Xi(^) f° r ^ £ C and 6 G Ci, respectively. From Lemma 
El /ii(x) and ^(x) on -E 00 can be represented as 

a t( P k +i) + a -*(p fc +i) 

^lWko = g 

Wk = ^ (29) 

where x = (a* — « _ *) 2 /4 and t varies over 7i. Similarly, /ii(x) and /i2(x) on 
En can be represented as 

a t( P k +i) + a -*(p fc +i) 
MaOki = 3 

a *(p fc -i) + a -*(p fc -i) 
/12 (x) Uu = o (30) 
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where x = —(a* + a *) 2 /4 and t varies over T[- Note that hi(x) = —h^x) 
and h 2 (x) = —h 3 (x). 

Since gcd((p fc + l)/2,p n — 1) = 2, b~^~ in ( 123]) varies over Cq twice, 

p +i 

while b varies over F*„. Note that b = ±A give the same b ~ and one of 
±A is a square in ¥ p n and the other is a nonsquare in ¥ p n. Hence, in order 
to determine N(l, b) for b G F*„, we need to derive the mapping property of 
hi(x) — c, 1 < i < 4, where c is a square in ¥ p n, for x G E 00 and x G E u , 
respectively. Then, using Lemma [TTJ, the differential spectrum of f(x) can 
be determined. 

Define the sets as 

Uijk — {hi(x)\x G E jk }. 

For 6 G Co, we should consider the mapping property of hi(x) = c on 
i?oo, where c is a square in F p ». Assume that there exist xi,£2 G E 00 such 
that /ii(xi) = hi(x 2 ) for xi 7^ £2- Let t\ = 9~ l (x\) and t 2 = # _1 (x2)- Then, 
from (l2~9j) . it is easy to derive that + l)ti = ±(p h + l)t 2 mod p n — 1. Since 
(p + l,p n — 1) = 2, we have ti ± t 2 = mod (p n — l)/2, which cannot be 
satisfied because 1 < ti, t 2 < (p n — 3)/4. Hence we conclude that /ii(x)|E 00 
is injective on E 00 , that is, I'Hiool = l-^ool = (p n ~ 3)/4. 

Consider the mapping $h_2(x)|_{E_{00}}$, which has the same form as (7). Therefore
we can use the result when $p^n \equiv 3 \bmod 4$ in Lemma 5 and thus we have
$|\mathcal{H}_{200}| = (p^n + p^k - 2)/(2(p^k-1))$. The cardinality of the inverse image in $E_{00}$
of any element in $\mathcal{H}_{200} \setminus \{1\}$ is $(p^k-1)/2$ and the cardinality of the inverse
image in $E_{00}$ of $1 \in \mathcal{H}_{200}$ is $(p^k-3)/4$.

Now, consider the relationship of the elements in $\mathcal{H}_{100}$ and $\mathcal{H}_{200}$. Assume
that there exist $x_1, x_2 \in E_{00}$ such that $h_1(x_1) = h_2(x_2)$. Let $t_1 = \theta^{-1}(x_1)$ and
$t_2 = \theta^{-1}(x_2)$. Then, from (29), we have $(p^k+1)t_1 \equiv \pm(p^k-1)t_2 \bmod p^n-1$,
which can be rewritten as

$$\frac{p^k+1}{2}\, t_1 \equiv \pm \frac{p^k-1}{2}\, t_2 \bmod \frac{p^n-1}{2}. \tag{31}$$

Since $\gcd((p^k+1)/2, (p^n-1)/2) = 1$, $(p^k+1)/2$ has an inverse modulo
$(p^n-1)/2$. Hence for any $t_2 \in T_1$ which is not divisible by $(p^n-1)/(p^k-1)$, there
exists $t_1 \in T_1$ satisfying (31). Since $t_2$ which is divisible by $(p^n-1)/(p^k-1)$
gives $h_2(x) = 1$, we conclude that $1 \in \mathcal{H}_{200}$ and $\mathcal{H}_{100} \supset (\mathcal{H}_{200} \setminus \{1\})$.

Since $h_4(x) = -h_1(x)$ and $h_3(x) = -h_2(x)$, $h_4(x)|_{E_{00}}$ has the same mapping
property as $h_1(x)|_{E_{00}}$, and $h_3(x)|_{E_{00}}$ has the same mapping property
as $h_2(x)|_{E_{00}}$. Furthermore, it is easy to check that $\mathcal{H}_{400} = -\mathcal{H}_{100}$,
$\mathcal{H}_{300} = -\mathcal{H}_{200}$, and $\mathcal{H}_{400} \supset (\mathcal{H}_{300} \setminus \{-1\})$.

It should also be checked that $\mathcal{H}_{100}$ cannot include both $y$ and $-y$. Assume
that there exist $x_1, x_2 \in E_{00}$ such that $h_1(x_1) = -h_1(x_2)$. From (29),
we have $(p^k+1)t_1 \equiv \pm(p^k+1)t_2 + (p^n-1)/2 \bmod p^n-1$, which can be
rewritten as

$$(p^k+1)(t_1 \pm t_2) \equiv \frac{p^n-1}{2} \bmod p^n-1. \tag{32}$$

Since $\gcd(p^k+1, p^n-1) = 2$ does not divide $(p^n-1)/2$, (32) cannot be
satisfied. Hence we conclude that there exist no $x_1, x_2 \in E_{00}$ such that
$h_1(x_1) = -h_1(x_2)$. Consequently we conclude that $\mathcal{H}_{100} \cap \mathcal{H}_{400} = \emptyset$.

So far, we have investigated the mapping property of $h_i(x)|_{E_{00}}$ and the
relationship among the elements in $\mathcal{H}_{i00}$, $1 \le i \le 4$.

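Now, we will calculate $N(1,b) = A_1(b) + A_2(b) + A_3(b) + A_4(b)$ for
square $b \in \mathbb{F}_{p^n}^*$, which is the sum of the cardinalities of the inverse images
in $E_{00}$ of the square element in $\mathbb{F}_{p^n}$, $b^{-(p^k+1)/2}$ in (23). Note that there are
$(p^n-3)/4$ squares in $\mathcal{H}_{100} \cup \mathcal{H}_{400}$ because $\mathcal{H}_{100} \cap \mathcal{H}_{400} = \emptyset$ and $\mathcal{H}_{100} = -\mathcal{H}_{400}$.
Since $\mathcal{H}_{100} \supset (\mathcal{H}_{200} \setminus \{1\})$, $\mathcal{H}_{400} \supset (\mathcal{H}_{300} \setminus \{-1\})$, and $\mathcal{H}_{200} = -\mathcal{H}_{300}$, there
are $(p^n-p^k)/(2(p^k-1))$ squares in $(\mathcal{H}_{200} \setminus \{1\}) \cup \mathcal{H}_{300}$, which are also included
in $\mathcal{H}_{100} \cup \mathcal{H}_{400}$. We can regard each square in $\mathcal{H}_{100} \cup \mathcal{H}_{200} \cup \mathcal{H}_{300} \cup \mathcal{H}_{400}$ as
$b^{-(p^k+1)/2}$ in (23). From Lemma [TT] it is easy to check that for each square
$c$ in $(\mathcal{H}_{200} \setminus \{1\}) \cup \mathcal{H}_{300}$, $N(1,\delta) = (p^k+1)/2$ and for each square $c$ in
$(\mathcal{H}_{100} \cup \mathcal{H}_{400}) \setminus (\mathcal{H}_{200} \cup \mathcal{H}_{300})$, $N(1,\delta) = 1$, where $\delta$ is a square in $\mathbb{F}_{p^n}$ such
that $\delta^{-(p^k+1)/2} = c$. For $b = 1$, from Lemma dH $N(1,b) = (p^k-3)/4 + 1 =
(p^k+1)/4$. Let $n_i$ denote the number of $b \in \mathbb{F}_{p^n}$, which are squares in $\mathbb{F}_{p^n}$,
such that $N(1,b) = i$. Then, $n_{(p^k+1)/2} = (p^n-p^k)/(2(p^k-1))$, $n_{(p^k+1)/4} = 1$,
$n_1 = (p^n-3)/4 - (p^n-p^k)/(2(p^k-1))$, and $n_0 = (p^n-1)/2 - n_{(p^k+1)/2} - n_1$.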

Consider the case when $b \in C_1$. From (29) and (30), note that $h_1(x)|_{E_{00}} =
h_2(x)|_{E_{11}}$, $h_2(x)|_{E_{00}} = h_4(x)|_{E_{11}}$, $h_4(x)|_{E_{00}} = h_3(x)|_{E_{11}}$, and $h_3(x)|_{E_{00}} = h_1(x)|_{E_{11}}$. Since
$t$ varies over $T_1$ for both $x \in E_{00}$ and $x \in E_{11}$, they have the same mapping
property, which means that for $b \in C_1$, the distribution of $N(1,b)$ is the
same as the case when $b \in C_0$. Taking that $N(1,b) = 1$ when $b = 0$ into
account, it is derived that $\omega_{(p^k+1)/2} = 2n_{(p^k+1)/2} = (p^n-p^k)/(p^k-1)$,
$\omega_{(p^k+1)/4} = 2n_{(p^k+1)/4} = 2$, $\omega_1 = 2n_1 + 1 = (p^n-1)/2 - (p^n-p^k)/(p^k-1)$,
and $\omega_0 = p^n - \omega_{(p^k+1)/2} - \omega_{(p^k+1)/4} - \omega_1$.

□ 






Corollary 2. For an odd prime $p$ such that $p \equiv 3 \bmod 4$, odd $n$, $k \mid n$, and
$d = (p^n+1)/(p^k+1) + (p^n-1)/2$, the differential uniformity of the function
$f(x) = x^d$ in $\mathbb{F}_{p^n}$ is given as $\Delta_f = (p^k+1)/2$. □

From the results, new power functions which are differential 4-uniform 
and 6-uniform are introduced as in the following corollaries. 

Corollary 3. Let $d = (p^n+1)/8 + (p^n-1)/2$. Then $x^d$ defined on $\mathbb{F}_{p^n}$ is
differential 4-uniform for $p = 7$ and odd $n$. □

Corollary 4. Let $d = (p^n+1)/12 + (p^n-1)/2$. Then $x^d$ defined on $\mathbb{F}_{p^n}$ is
differential 6-uniform for $p = 11$ and odd $n$. □
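
As a numerical check of Corollary 3 and of the differential spectrum derived at the end of the proof above, the following added example (not from the paper) counts $N(1,b)$ exhaustively for $f(x) = x^d$ with $p = 7$, $k = 1$ and $n \in \{1, 3\}$. The representation of $\mathbb{F}_{343}$ as $\mathbb{F}_7[x]/(x^3-2)$ and all function names are choices made for this example.

```python
from collections import Counter
from itertools import product

P = 7  # Corollary 3: p = 7, k = 1, d = (p^n + 1)/8 + (p^n - 1)/2

def mul(u, v):
    """Multiply in F_7[x]/(x^3 - 2) (irreducible: 2 is not a cube mod 7).
    Length-1 tuples (n = 1) reduce to the plain product mod 7."""
    c = [0] * 5
    for i, a in enumerate(u):
        for j, b in enumerate(v):
            c[i + j] += a * b
    r = ((c[0] + 2 * c[3]) % P, (c[1] + 2 * c[4]) % P, c[2] % P)  # x^3 = 2
    return r[:len(u)]

def power(x, e):
    """Square-and-multiply exponentiation in the field."""
    r = (1,) + (0,) * (len(x) - 1)
    while e:
        if e & 1:
            r = mul(r, x)
        x, e = mul(x, x), e >> 1
    return r

def differential_spectrum(n):
    """Brute-force {i: omega_i}, omega_i = #{b : N(1, b) = i}, for n in (1, 3).
    For a power function N(a, b) = N(1, b / a^d), so a = 1 suffices."""
    q = P ** n
    d = (q + 1) // 8 + (q - 1) // 2
    elems = list(product(range(P), repeat=n))
    f = {x: power(x, d) for x in elems}
    # N(1, b) counts x with f(x + 1) - f(x) = b; x + 1 bumps coordinate 0
    n1 = Counter(
        tuple((s - t) % P for s, t in zip(f[((x[0] + 1) % P,) + x[1:]], f[x]))
        for x in elems)
    return dict(Counter(n1[b] for b in elems))

def predicted_spectrum(n):
    """Nonzero omega_i from the closed form in the proof above (p = 7, k = 1)."""
    q, pk = P ** n, P
    w_half = (q - pk) // (pk - 1)   # omega_{(p^k+1)/2}
    w_one = (q - 1) // 2 - w_half   # omega_1
    pred = {(pk + 1) // 2: w_half, (pk + 1) // 4: 2, 1: w_one,
            0: q - w_half - 2 - w_one}
    return {i: w for i, w in pred.items() if w}

if __name__ == "__main__":
    for n in (1, 3):
        print(n, differential_spectrum(n), predicted_spectrum(n))
```

For $n = 1$ the closed form gives $\omega_4 = 0$, so the largest entry of the spectrum is 2; the value 4 first appears at $n = 3$.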

5. Conclusion 

In this paper, the differential spectra of the two power functions $x^{\frac{p^k+1}{2}}$
and $x^{\frac{p^n+1}{p^k+1} + \frac{p^n-1}{2}}$ in $\mathbb{F}_{p^n}$ are derived. The result can be used to determine
the differential uniformity $\Delta_f$ of the two power functions. Two new power
functions in $\mathbb{F}_{p^n}$ which are differential 4-uniform and 6-uniform are also found.

Appendix 

Proof of Lemma [KB 

Case 1) Relationship between $\mathcal{I}_{00}$ and $\mathcal{I}_{10}$;

Assume that there exist $x_1 \in E_{00}$ and $x_2 \in E_{10}$ such that $D_f(x_1) =
D_f(x_2)$. Let $t_1 = \theta^{-1}(x_1)$ and $t_2 = \theta^{-1}(x_2)$. From Lemma 2 we have

Since $\alpha = \beta^{p^n+1}$ and $\delta = \beta^{(p^n-1)/2}$, (33) is satisfied if and only if

$$[(p^n+1)t_1 \pm (p^n-1)t_2](p^k-1) \equiv 0 \bmod (p^{2n}-1). \tag{34}$$

Then (34) can be rewritten as

$$(p^n+1)t_1 \pm (p^n-1)t_2 \equiv 0 \bmod \frac{p^{2n}-1}{p^g-1} \tag{35}$$

where $\gcd(p^k-1, p^{2n}-1) = p^g-1$.
Note that

$$\gcd\left(\frac{p^{2n}-1}{p^g-1},\, p^n+1\right) = \begin{cases} p^n+1, & \text{if } g = e \\ \dfrac{p^n+1}{p^e+1}, & \text{if } g = 2e. \end{cases} \tag{36}$$



Consider the case when $g = e$, i.e., $k/e$ is odd. For the solvability of
(35), $\pm(p^n-1)t_2$ should be divisible by $p^n+1$. Since $\gcd(p^n+1, p^n-1) = 2$,
$t_2$ should be divisible by $(p^n+1)/2$. Since $t_2$ varies over $[1, (p^n-3)/4]$ for
$p^n \equiv 3 \bmod 4$ and $[1, (p^n-1)/4]$ for $p^n \equiv 1 \bmod 4$, $t_2$ cannot be divisible by
$(p^n+1)/2$. Hence we conclude that $\mathcal{I}_{00} \cap \mathcal{I}_{10} = \emptyset$ for odd $k/e$.

Next, consider the case when $g = 2e$, i.e., $k/e$ is even. From (35), $(p^n+1)t_1$
should be divisible by $\gcd(p^n-1, (p^{2n}-1)/(p^{2e}-1)) = (p^n-1)/(p^e-1)$. Since
$\gcd((p^n-1)/(p^e-1), p^n+1) = 1$, $t_1$ should be divisible by $(p^n-1)/(p^e-1)$,
which means that $\mathcal{I}_{00} \cap \mathcal{I}_{10} = \{1\}$ for even $k/e$.

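Case 2) Relationship between $\mathcal{I}_{11}$ and $\mathcal{I}_{10}$;

For the case when $p^n \equiv 3 \bmod 4$ and $p^k \equiv 1 \bmod 4$, we already proved
that $\mathcal{I}_{00} = \mathcal{I}_{11}$. Since $g = 2e$, i.e., $k/e$ is even, in the case, we conclude that
$\mathcal{I}_{11} \cap \mathcal{I}_{10} = \{1\}$ for even $k/e$.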

Consider the case when $p^n \equiv 3 \bmod 4$ and $p^k \equiv 3 \bmod 4$. Note that
$g = e$, i.e., $k/e$ is odd in the case. We can prove this case similar to Case 1).
Assume that there exist $x_1 \in E_{11}$ and $x_2 \in E_{10}$ such that $D_f(x_1) = D_f(x_2)$.
Let $t_1 = \theta^{-1}(x_1)$ and $t_2 = \theta^{-1}(x_2)$. From Lemma 2 we have



$$(p^k-1)[(p^n+1)t_1 \pm (p^n-1)t_2] \equiv \frac{p^{2n}-1}{2} \bmod (p^{2n}-1). \tag{37}$$

Then (37) can be rewritten as

$$(p^n+1)t_1 \pm (p^n-1)t_2 \equiv \frac{p^{2n}-1}{2(p^e-1)} \bmod \frac{p^{2n}-1}{p^e-1} \tag{38}$$

where $\gcd(p^k-1, (p^{2n}-1)/2) = p^e-1$. For the solvability of (38), $\pm(p^n-1)t_2$
should be divisible by $(p^n+1)/2$. Since $\gcd((p^n+1)/2, p^n-1) = 2$, $t_2$ should
be divisible by $(p^n+1)/4$. Since $t_2$ varies over $[1, (p^n-3)/4]$ for $p^n \equiv 3 \bmod 4$,
$t_2$ cannot be divisible by $(p^n+1)/4$. Hence we conclude that $\mathcal{I}_{11} \cap \mathcal{I}_{10} = \emptyset$ for
odd $k/e$.

Next, consider the case when $p^n \equiv 1 \bmod 4$ and $p^k \equiv 1 \bmod 4$. Assume
that there exist $x_1 \in E_{11}$ and $x_2 \in E_{10}$ such that $D_f(x_1) = D_f(x_2)$. From
Lemma 2 and by setting $\gamma = -\alpha$, we have

k 1 

(p k - l)[(p n + l)ti ± (p n - l)t 2 ] = -^—(p n + 1) mod (p 2n - 1). (39) 



Note that $g$ can be equal to either $e$ or $2e$ in this case. For the case when
$g = e$, i.e., $k/e$ is odd, (39) can be rewritten as

?—^\(p n + l)h ± (p n - l)t 2 ] = -— — ■ ^—^ mod p2n ~ 1 . (40) 

From (40), $(p^n-1)t_2$ should be divisible by $(p^n+1)/2$. Since $\gcd(p^n-1, (p^n+1)/2) = 1$,
$t_2$ should be divisible by $(p^n+1)/2$. Note that $t_2$ varies over
$[1, (p^n-1)/4]$. We conclude that $\mathcal{I}_{11} \cap \mathcal{I}_{10} = \emptyset$ for odd $k/e$.

For the case when $g = 2e$, i.e., $k/e$ is even, (39) can be rewritten as

+ m ± (P B - l)t 2 ] - • P — mod (41) 

From $\gcd((p^{2n}-1)/(p^g-1), (p^n+1)/2) = (p^n+1)/(p^e+1)$ and (41), $(p^n-1)t_2$
should be divisible by $(p^n+1)/(p^e+1)$. Since $\gcd(p^n-1, (p^n+1)/(p^e+1)) = 1$,
$t_2$ should be divisible by $(p^n+1)/(p^e+1)$. From LemmaHJ we have $p^e+1 \mid p^k-1$.
Hence $t_2$ which is divisible by $(p^n+1)/(p^e+1)$ gives $D_f(x) = 1$, which means
that $\mathcal{I}_{11} \cap \mathcal{I}_{10} = \{1\}$ for even $k/e$.

The case when $p^n \equiv 1 \bmod 4$ and $p^k \equiv 3 \bmod 4$ can be proved similarly.

Case 3) Relationship between $\mathcal{I}_{00}$ and $\mathcal{I}_{01}$;

We already proved that $\mathcal{I}_{10} \cap \mathcal{I}_{01} = \emptyset$ for $p^e \equiv 3 \bmod 4$ and odd $k/e$
and $\mathcal{I}_{10} = \mathcal{I}_{01}$, otherwise. Hence we only need to consider the case when
$p^e \equiv 3 \bmod 4$ and odd $k/e$ in Case 3) and Case 4). Note that $p^k \equiv 3 \bmod 4$
in this case.

First, consider the relationship between $\mathcal{I}_{00}$ and $\mathcal{I}_{01}$. Assume that there
exist $x_1 \in E_{00}$ and $x_2 \in E_{01}$ such that $D_f(x_1) = D_f(x_2)$. Let $t_1 = \theta^{-1}(x_1)$
and $t_2 = \theta^{-1}(x_2)$. Again, we have

$$(p^k-1)\left[(p^n+1)t_1 \pm \left(\frac{p^n-1}{2} + (p^n-1)t_2\right)\right] \equiv 0 \bmod (p^{2n}-1), \tag{42}$$

which can be rewritten as

$$\frac{p^k-1}{p^e-1}\left[(p^n+1)t_1 \pm \left(\frac{p^n-1}{2} + (p^n-1)t_2\right)\right] \equiv 0 \bmod \frac{p^{2n}-1}{p^e-1}. \tag{43}$$

For the solvability of (43), $(p^n-1)/2 \pm (p^n-1)t_2$ should be divisible by $p^n+1$,
which is given as

$$\frac{p^n-1}{2}(1 \pm 2t_2) \equiv 0 \bmod (p^n+1). \tag{44}$$

For $p^n \equiv 3 \bmod 4$, the left-hand side is odd, while the right-hand side is even,
which is a contradiction. For $p^n \equiv 1 \bmod 4$, since $\gcd((p^n-1)/2, p^n+1) = 2$,
$1 \pm 2t_2$ should be divisible by $(p^n+1)/2$. Assume that $1 + 2t_2 = (p^n+1)/2$.
Then $t_2$ should be $(p^n-1)/4$. However, since $t_2$ varies over $[0, (p^n-5)/4]$, it
is impossible. Therefore, we conclude that $\mathcal{I}_{00} \cap \mathcal{I}_{01} = \emptyset$.

Case 4) Relationship between $\mathcal{I}_{11}$ and $\mathcal{I}_{01}$;

Next, consider the relationship between $\mathcal{I}_{11}$ and $\mathcal{I}_{01}$. Assume that there
exist $x_1 \in E_{11}$ and $x_2 \in E_{01}$ such that $D_f(x_1) = D_f(x_2)$. For the case when
$p^n \equiv 3 \bmod 4$, by setting $\gamma = -1$, we have

$$(p^k-1)\left[(p^n+1)t_1 \pm \left(\frac{p^n-1}{2} + (p^n-1)t_2\right)\right] \equiv \frac{p^{2n}-1}{2} \bmod (p^{2n}-1), \tag{45}$$

which can be rewritten as

$$\frac{p^k-1}{p^e-1}\left[(p^n+1)t_1 \pm \left(\frac{p^n-1}{2} + (p^n-1)t_2\right)\right] \equiv \frac{p^n+1}{2} \cdot \frac{p^n-1}{p^e-1} \bmod \frac{p^{2n}-1}{p^e-1}. \tag{46}$$

For the solvability of (46), $(p^n-1)(1 \pm 2(p^n-1)t_2)/2$ should be divisible by
$(p^n+1)/2$. Since $\gcd((p^n-1)/2, (p^n+1)/2) = 1$, $1 \pm 2(p^n-1)t_2$ should be
divisible by $(p^n+1)/2$. Since $(p^n+1)/2$ is even and $1 \pm 2(p^n-1)t_2$ is odd, it
is a contradiction. Hence we conclude that $\mathcal{I}_{11} \cap \mathcal{I}_{01} = \emptyset$.

For the case when $p^n \equiv 1 \bmod 4$, $\frac{p^n-1}{2}(1 \pm 2t_2)$ should be divisible
by $(p^n+1)/2$. Hence $1 \pm 2t_2$ should be divisible by $(p^n+1)/2$. Assume that
$1 + 2t_2$ is divisible by $(p^n+1)/2$. Then $t_2$ should be equal to $(p^n-1)/4$, which
is a contradiction because $t_2 \le (p^n-5)/4$. Therefore, $\mathcal{I}_{11} \cap \mathcal{I}_{01} = \emptyset$.

From Case 1) to Case 4), the proof is complete. □